One of those terms that get bounced around a lot, in discussions of malware is whether that threat is “in the wild.” But what does that actually mean? If your thoughts go to Jaques Cousteau or Mutual of Omaha’s Wild Kingdom, you’re on the right track. It’s meant to differentiate from malware that has affected real people’s machines and threats that only exist “in the zoo”: that is to say, only in research labs.
In the Beginning
Once upon a time, there was an independent organization that was called the Wildlist, which produced a report by the same name. Every month, a list was compiled of all the viruses (not Trojans yet) that had been reported to their list of reporters. The Wildlist reporters were trusted researchers from around the industry – not just from AV vendors, but also from companies that had a good view into what was affecting corporate as well as home users.
To make the “main list,” a threat had to be reported at least two times to two separate reporters. Reporters would note how many times viruses were reported to them, and in what countries, for every threat they encountered more than once. They would take and replicate the virus samples to verify that they were valid infections (and so that the sample would be in a neutral, standard file without user-info attached, if possible). Then they would send this collection in every month. The idea is that this would create a fairly representative list of what was affecting users.
There were plenty of threats that did not make the main list because they were not reported twice. These would be noted on the Extended Wildlist. But you’ll note, this did not include everything a reporter received only once. The list was not meant to be exhaustive because there are always plenty of cases of infections that exist only on someone’s machine that was stored in some far-off corner, with a virus that was last prevalent ten years ago. There is no way of saying conclusively that a virus only exists “in the zoo” – the idea was to report those things that people were more likely to run across.
The Present Tense
Many years later, the malware world has changed quite a bit. Trojans used to be something that people quibbled about including in anti-virus products (because they’re not viruses, see…). Now Trojans make up the bulk of files detected by those same products (even though most folks still usually refer to them as anti-virus products, rather than anti-malware products). The tactics of malware writers has changed so that thousands of new variants are pumped out for many major malware families. Speed and stealth are the order of the day, not prevalence. The overwhelming numbers of malware samples that are found every day, particularly for Windows and Android, have made gathering such a list effectively impossible.
That doesn’t mean the information about threats affecting real people is any less valuable than it was 10 or 20 years ago. But now it’s less official, and more reflective of whether a threat has or likely could affect a large number of customers. We still get some threats that are “zoo threats,” especially in Mac-land where overall prevalence is low enough that people are still interested in creating “proof of concept” threats to show that it can be done. We report in each malware alert whether we have seen evidence that this threat is affecting real customers or if it is not yet known to be in the wild. This way you can determine how urgently you need to prepare yourself or if you should just update your virus definitions as normal.